FTC Guidelines Deliver Strong Message to Companies

The Federal Trade Commission has ramped up an 18-month-old crackdown on companies that exploit consumer data, issuing non-binding guidelines on how information should be collected, stored and used.

The agency released the customer privacy guidelines in late March, telling companies that they should only collect information that is relevant to a particular transaction, and that they should purge the data when it is no longer needed for that particular sale.

For example, the FTC told CIO Journal that it is acceptable for a florist to use data mining techniques to discover whether a customer who is buying begonias also likes roses. But if the florist wants to know which sports teams a consumer roots for, so that it can make a cross-marketing deal with a franchise, it should ask the customer explicitly. That would be a huge change from the common practices of today, in which many companies routinely use online software programs known as cookies, which can secretly capture such information in the background as people surf the web. Most users are unaware of the tracking capabilities of cookies.

The guidelines are described as voluntary and non-binding, but companies ought to pay attention to what the FTC considers fair practice. The FTC has filed complaints against Google and Facebook during the last year and a half, pushing both companies to allow 20 years of audits and reform their privacy practices. “I think one message we can send: If we bring cases against Google and Facebook we can bring cases against anyone,” said David Vladeck, director of the agency’s bureau of consumer protection. “We need to clean up commerce on the Internet.”

Linda Goldstein, an advertising attorney at Manatt Phelps & Phillips, who has defended cases brought by the agency, says the guidelines telegraph what the FTC believes are unfair or deceptive practices, which it has broad authority to pursue under federal law.

“These guidelines don’t have the force of law but it gives strong insight into what the FTC believes are proper privacy practices,” said Goldstein. She says companies that don’t comply with the new guidelines will risk FTC action, because the agency, “will say it’s a deceptive practice to keep data longer than necessary or collect more data than you need.”

Vladeck says the privacy report is just the latest effort in the agency’s push to establish “rules for the road” in the online marketplace, which the FTC still considers new, with few established norms. And he says the agency’s aggressive phase will continue, though he emphasizes that enforcement is a last resort. “We prefer compliance over enforcement,” said Vladeck. “But we’re not shy about making cases.”

Agency officials say the guidelines do not extend their authority to bring cases. But the recommendations do help to serve as a warning to companies that break existing rules, Vladeck said. One example of this would be changing data sharing policies without first telling the customer.

“The report has many purposes,” Vladeck said. “The most important is to establish best practices. But it does also reinforce the enforcement message.”

FTC Commissioner J. Thomas Rosch, who was the only member of the four-person panel to vote against the new rules, described the guidelines as a “paternalistic” overreach of the agency’s authority. He said they will be used to exert too much government control over online companies.

“The report broadly alludes to the fact that we will take actions if we are not satisfied with the alacrity with which the principles are being adopted,” Rosch said.
